We're running JM+Sniffer and still having some problems with phishes. Here are the headers of a message that passed through and didn't trip a single test. Our user got 140 of these in a period of a few hours. He always seems to be on the front end of these things.
I'm running SPF, so it didn't fail that. Notice the envelope from and the From, though. Any ideas on how to combat this? What about some type of combo test or something that could look at the "From" the user sees and compare it against known good IPs for companies like eBay, PayPal, Citibank, etc.? If anybody has a good way of catching these, your input would be greatly appreciated.

Received: from outbound3.example.net (outbound2.example.net [16.45.66.4])
    by email_server.ourcustomerdomain.com with SMTP
    (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
    id 10628P6B; Tue, 15 Feb 2005 21:42:05 -0500
Received: from mail2.example.net (unknown [10.1.16.2])
    by outbound3.example.net (Postfix) with ESMTP id BB00767835
    for <[EMAIL PROTECTED]>; Tue, 15 Feb 2005 21:44:12 -0500 (EST)
Received: from mx1.example.net [192.168.200.60] by mail2.example.net
    with ESMTP (SMTPD32-8.15) id A36C16770102; Tue, 15 Feb 2005 21:43:56 -0500
Received: from vps.parlori.net (vps.parlori.net [216.22.48.204])
    by mx1.example.net (Postfix) with ESMTP id BCFE143AC2
    for <[EMAIL PROTECTED]>; Tue, 15 Feb 2005 21:44:23 -0500 (EST)
    (envelope-from [EMAIL PROTECTED])
Received: from nobody by vps.parlori.net with local (Exim 4.44)
    id 1D1FAQ-0001Yt-6Z
    for [EMAIL PROTECTED]; Tue, 15 Feb 2005 20:43:54 -0600
To: [EMAIL PROTECTED]
Subject: Security Validations
From: eBay <[EMAIL PROTECTED]>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Message-Id: <[EMAIL PROTECTED]>
Date: Tue, 15 Feb 2005 20:43:54 -0600
X-Note: Spam Score: 0

example.net is us

--
Best regards,
David mailto:[EMAIL PROTECTED]
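The combined test asked about above, sketched as an added example (it is not part of the original post and is not Declude or Sniffer code): take the display name the user sees in From, find the address that handed the message to our own servers, and flag the message when a brand name is claimed from outside that brand's listed networks. The brand ranges are constructed documentation ranges, the relay addresses are assumed from the internal hops in the posted headers, and the function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-ins (documentation ranges), NOT the brands' real networks.
BRAND_NETS = {"ebay": ["192.0.2.0/24"], "paypal": ["198.51.100.0/24"]}
# Assumption: our relays are the internal hop addresses in the posted headers.
OUR_NETS = ["16.45.66.4/32", "10.1.16.2/32", "192.168.200.60/32"]
OUR_DOMAINS = (".example.net", ".ourcustomerdomain.com")
HOP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)", re.S)

def in_nets(ip, nets):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def handoff_ip(msg):
    """IP of the first outside host that connected to one of our servers."""
    for hop in msg.get_all("Received", []):  # newest hop first
        m = HOP.search(hop)
        if not m or not m.group(2).lower().endswith(OUR_DOMAINS):
            return None  # hop not stamped by us: nothing below is trustworthy
        if not in_nets(m.group(1), OUR_NETS):
            return m.group(1)
    return None

def brand_mismatch(raw):
    """(brand, ip) if the visible From name claims a brand but the message
    entered our network from outside that brand's listed networks."""
    msg = message_from_string(raw)
    display, _addr = parseaddr(msg.get("From", ""))
    ip = handoff_ip(msg)
    for brand, nets in BRAND_NETS.items():
        if brand in display.lower() and not (ip and in_nets(ip, nets)):
            return brand, ip
    return None

# Built from the posted headers; the redacted From address is constructed.
SAMPLE = """\
Received: from outbound3.example.net (outbound2.example.net [16.45.66.4]) by email_server.ourcustomerdomain.com with SMTP id 10628P6B; Tue, 15 Feb 2005 21:42:05 -0500
Received: from mail2.example.net (unknown [10.1.16.2]) by outbound3.example.net (Postfix) with ESMTP id BB00767835; Tue, 15 Feb 2005 21:44:12 -0500 (EST)
Received: from mx1.example.net [192.168.200.60] by mail2.example.net with ESMTP (SMTPD32-8.15) id A36C16770102; Tue, 15 Feb 2005 21:43:56 -0500
Received: from vps.parlori.net (vps.parlori.net [216.22.48.204]) by mx1.example.net (Postfix) with ESMTP id BCFE143AC2; Tue, 15 Feb 2005 21:44:23 -0500 (EST)
Received: from nobody by vps.parlori.net with local (Exim 4.44) id 1D1FAQ-0001Yt-6Z; Tue, 15 Feb 2005 20:43:54 -0600
From: eBay <member@ebay.example>
Subject: Security Validations

(HTML body omitted)
"""
if __name__ == "__main__": print(brand_mismatch(SAMPLE))
```

Only Received lines stamped by our own servers are trusted, and internal hops are recognized by IP rather than by the HELO name, since everything below the handoff hop is written by the sender.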